Description

A Format String attack occurs when attacker-supplied input is passed to a formatting function as the format string itself, so that the input is interpreted as format directives rather than as plain data. This way the attacker can read from the stack, write to memory in the running process (and from there execute code), or cause a segmentation fault, producing new behaviours that compromise the security or the stability of the system.

To understand the attack it is necessary to explain the components that constitute it. They are:
•The Format Function is an ANSI C conversion function, such as printf or fprintf, which converts primitive variables of the programming language into a human-readable string representation.

•The Format String is the argument of the Format Function and is an ASCIIZ (null-terminated) string which contains text and format parameters, for example: printf ("The magic number is: %d\n", 1911);

•The Format String Parameter, such as %x or %s, defines the type of conversion the format function performs.

The attack can be executed when the application does not validate the submitted input properly. If a format string parameter such as %x is inserted in the posted data and that data reaches a Format Function as its format string, the function parses it and executes the conversion the parameter specifies. Each conversion expects a corresponding argument; when those arguments were never supplied, the function reads whatever happens to occupy the argument locations (registers and the stack), and with %n it writes to an address taken from there.

In this way a well-crafted input can change the behaviour of the format function, permitting the attacker to cause a denial of service or to execute arbitrary code.

If the application's source code passes user-controlled data to a Format Function as the format string, the attacker can exploit the vulnerability by inserting formatting characters into a form of the website. For example, if the printf function is used to print a username taken from a field of the page as shown below, the website is vulnerable to this kind of attack:

printf (userName);

Table 1 lists Format Functions which, if their format argument is not controlled, can expose the application to the Format String Attack.

Format function   Description
fprintf           Writes formatted output to a file
printf            Outputs a formatted string to stdout
sprintf           Prints into a string
snprintf          Prints into a string, checking the length
vfprintf          Prints from a va_arg structure to a file
vprintf           Prints from a va_arg structure to stdout
vsprintf          Prints from a va_arg structure to a string
vsnprintf         Prints from a va_arg structure to a string, checking the length

Table 1. Format Functions

Below are some format parameters which can be used and their consequences:

•"%x" Read data from the stack

•"%s" Read character strings from the process' memory

•"%n" Write an integer to locations in the process' memory

To discover whether the application is vulnerable to this type of attack, it is necessary to verify whether the format function accepts and parses the format string parameters shown in Table 2.

Format strings parameters:

Parameters   Output                                           Passed as
%%           % character (literal)                            None (consumes no argument)
%p           External representation of a pointer to void     Reference
%d           Decimal                                          Value
%c           Character                                        Value
%u           Unsigned decimal                                 Value
%x           Hexadecimal                                      Value
%s           String                                           Reference
%n           Writes the number of characters into a pointer   Reference

Table 2. Common parameters used in a Format String Attack.
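The two entries of Table 2 that make the attack dangerous are %n, which writes through a pointer, and the width of any earlier conversion, which decides the value written. The following C code is an added example for this page (it is not code from the original) and uses legitimate arguments only, so it is well defined and deterministic; the function names and the chosen widths are assumptions made for the demonstration.

```c
#include <stdio.h>

/* %n with a legitimate pointer argument: it stores into the int the
 * number of bytes the call has produced so far. That count is controlled
 * by how much text precedes %n, which is what the field width of an
 * earlier conversion (here %*x, whose width comes from an argument)
 * lets the writer choose. Returns the stored count.
 * Widths are kept below the buffer size so nothing is truncated. */
int bytes_written_by_n(int width)
{
    char buf[1024];
    int written = -1;
    /* 0xdeadbeef is just something to print: 8 hex digits, so the output
     * before %n is max(width, 8) bytes long. */
    snprintf(buf, sizeof buf, "%*x%n", width, 0xdeadbeefu, &written);
    return written;
}

/* %hhn stores only the low byte of the count. Padding the output to
 * 0x141 bytes therefore stores 0x41: this is how an arbitrary byte value
 * is produced from a counter that can only grow. Returns the stored byte. */
unsigned write_byte_via_hhn(int total_length)
{
    char buf[1024];
    signed char b = 0;
    snprintf(buf, sizeof buf, "%*x%hhn", total_length, 0u, &b);
    return (unsigned char)b;
}

int main(void)
{
    printf("%%n after a 100-wide field stores %d\n", bytes_written_by_n(100));
    printf("%%n after a 4-wide field of 8 digits stores %d\n", bytes_written_by_n(4));
    printf("%%hhn after 0x141 bytes stores 0x%02x\n", write_byte_via_hhn(0x141));
    return 0;
}
```

In an attack the pointer argument is not supplied by the program but is an address the attacker has placed in the input so that it sits where the missing argument is read from; the width then sets the value, exactly as above.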

Examples

Example 1

This example is intended to demonstrate how the application behaves when the input reaching the format function does not receive the necessary validation.

First the application is shown operating with normal behaviour and normal inputs; then it is shown operating when the attacker inputs the format string, together with the resulting behaviour.

Now the format string vulnerability will be exploited. If the format string parameter "%x %x" is inserted in the input string, the format function parses it when printing the results: the output will still display the name Bob, but instead of showing the literal string %x the application shows the contents of memory, one word read from the argument area (the stack) for each %x.
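The printf(userName) call from the Description and the behaviour described in this example, as an added example in C (written for this page, not code from the original): greet_vulnerable reproduces the vulnerable call into a buffer so the result can be inspected, greet_safe is the hardened form, count_conversions flags inputs that carry format parameters, and appears_vulnerable is the black-box check a tester applies by comparing a probe with what the application echoed back. The function names and the sample inputs are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The vulnerable call is intentional; compilers flag a non-literal format
 * with no arguments, so that diagnostic is silenced for this demo only. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable: the untrusted username *is* the format string, as in
 * printf(userName). Every conversion it contains consumes an argument that
 * was never passed, so %x prints whatever sits in the next argument slot
 * (a register or a stack word). */
void greet_vulnerable(char *out, size_t outlen, const char *username)
{
    snprintf(out, outlen, username);
}

/* Hardened: the format is a constant and the username is only ever data
 * for a single %s conversion, so "%x" in it is printed literally. */
void greet_safe(char *out, size_t outlen, const char *username)
{
    snprintf(out, outlen, "%s", username);
}

/* Feed one input through both versions and report whether the outputs
 * differ, i.e. whether the vulnerable version parsed conversions. */
bool conversions_were_parsed(const char *username)
{
    char v[128], s[128];
    greet_vulnerable(v, sizeof v, username);
    greet_safe(s, sizeof s, username);
    return strcmp(v, s) != 0;
}

/* Count the conversions an input would trigger: every '%' that is not the
 * literal escape "%%". Usable as an input check or a logging alert. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Black-box check: send a probe containing conversions and compare it with
 * what the application echoes. If the literal probe text no longer appears,
 * the conversions were parsed and the application is very likely vulnerable. */
bool appears_vulnerable(const char *probe, const char *echoed)
{
    return count_conversions(probe) > 0 && strstr(echoed, probe) == NULL;
}

int main(void)
{
    char buf[128];
    const char *input = "Bob %x %x";      /* constructed attacker input */

    greet_vulnerable(buf, sizeof buf, input);
    printf("vulnerable: %s  -> vulnerable? %s\n", buf,
           appears_vulnerable("%x %x", buf) ? "yes" : "no");

    greet_safe(buf, sizeof buf, input);
    printf("safe:       %s  -> vulnerable? %s\n", buf,
           appears_vulnerable("%x %x", buf) ? "yes" : "no");
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler report the vulnerable call; the pragma above suppresses exactly that warning so the demonstration compiles, and it is the first thing to remove in real code.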

Example 2

Denial of Service

In this case, when an invalid memory address is accessed, the program is normally terminated. Taking the following call in a function as an example:

printf (userName);

The attacker can insert a sequence of format parameters such as %s, each of which treats a word taken from the stack as a pointer and reads the memory it refers to. The longer the sequence, the greater the chance that one of those words refers to an unmapped or illegal address, crashing the program and making it unavailable.